GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,044 advisories

Apache Airflow exposes SQL stack trace despite "api/expose_stack_traces" set to false Moderate
CVE-2026-30912 was published for apache-airflow-core (pip) Apr 18, 2026
Apache Airflow Exposes Secrets in Variables Saved as JSON Dictionaries Low
CVE-2026-32690 was published for apache-airflow-core (pip) Apr 18, 2026
Credited to threalwinky
Apache Airflow has an authorization bypass in DagRun wait endpoint Moderate
CVE-2026-34538 was published for apache-airflow (pip) Apr 9, 2026
PraisonAI has Memory State Leakage and Path Traversal in MultiAgent Context Handling Moderate
GHSA-766v-q9x3-g744 was published for praisonaiagents (pip) Apr 8, 2026
Credited to offset
Electron: Named window.open targets not scoped to the opener's browsing context Moderate
CVE-2026-34765 was published for electron (npm) Apr 7, 2026
Credited to HO-9 and HanJeouk
SandboxJS: Sandbox Escape via Prop Object Leak in New Handler Moderate
CVE-2026-34217 was published for @nyariv/sandboxjs (npm) Apr 3, 2026
Credited to chawdamrunal
Electron: Context Isolation bypass via contextBridge VideoFrame transfer High
CVE-2026-34780 was published for electron (npm) Apr 3, 2026
A vulnerability in Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an... Critical Unreviewed
CVE-2026-20160 was published Apr 1, 2026
OpenClaw: Image Tool `tools.fs.workspaceOnly` Bypass via Sandbox Bridge Mounts Moderate
CVE-2026-35658 was published for openclaw (npm) Mar 26, 2026
Credited to YLChen-007
OpenClaw: Gateway `agent` calls could override the workspace boundary High
GHSA-2rqg-gjgv-84jm was published for openclaw (npm) Mar 13, 2026
Credited to tdjackey
AVideo: Unauthenticated PHP session store exposed to host network via published memcached port High
CVE-2026-29093 was published for wwbn/avideo (Composer) Mar 5, 2026
Credited to bugbunny-research
OpenClaw: Hardlink alias checks could bypass workspace-only file boundaries in specific configurations High
GHSA-3jx4-q2m7-r496 was published for openclaw (npm) Mar 4, 2026
Credited to tdjackey
Dark Reader gives users the ability to request style sheets from local web servers Low
CVE-2025-68467 was published for darkreader (npm) Mar 4, 2026
Skill-scanner Unsecured Network Binding Vulnerability Moderate
CVE-2026-26057 was published for cisco-ai-skill-scanner (pip) Feb 17, 2026
Credited to RichardoC and vineethsai7
Claude Code has Sandbox Escape via Persistent Configuration Injection in settings.json High
CVE-2026-25725 was published for @anthropic-ai/claude-code (npm) Feb 6, 2026
n8n's Unsafe Buffer Allocation Allows In-Process Memory Disclosure in Task Runner High
CVE-2025-61917 was published for n8n (npm) Feb 4, 2026
OpenClaw/Clawdbot has 1-Click RCE via Authentication Token Exfiltration From gatewayUrl High
CVE-2026-25253 was published for clawdbot (npm) Feb 2, 2026
Credited to DepthFirstDisclosures, 0xacb, and mavlevin